Method and apparatus for enhancing computer system security

US 6,564,326 B2
Filed: 10/24/2001
Issued: 05/13/2003
Est. Priority Date: 07/06/1999
Status: Expired due to Fees

First Claim

Patent Images

1. In a computer system including a central processor unit, said central processor being plugged into a first socket on a first circuit board, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto through said first socket, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said respective plurality of control signal lines, said first control signal line including a first control signal, a method for enhancing the security of said computer system, said method comprising:

removing said central processor unit from said first socket;

replacing said central processor by plugging a module into said first socket, said module further having a second socket substantially identical to said first socket;

plugging said central processor unit into said second socket on said module; and

intercepting said first control signal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security enhanced computer system arrangement includes a coprocessor and a multiprocessor logic controller inserted into the architecture of a conventional computer system. The coprocessor and multiprocessor logic controller is interposed between the CPU of the conventional computer system to intercept and replace control signals that are passed over certain of the critical control signal lines associated with the CPU. The multiprocessor logic controller arrangement thereby isolates the CPU of the conventional computer system from the remainder of the conventional computer system, permitting separate control over the CPU and separate control over the remainder of the computer system. By controlling the control signals that are normally passed between the CPU and the remainder of the computer system, the multiprocessor logic controller permits the coprocessor to perform highly secure operations. These secure operations, selectable by a trusted operator or built in to a cooperating operating system, verify that the computer system is a trusted computing base which can be relied upon to perform its operations properly and without compromise.

119 Citations

View as Search Results

42 Claims

1. In a computer system including a central processor unit, said central processor being plugged into a first socket on a first circuit board, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto through said first socket, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said respective plurality of control signal lines, said first control signal line including a first control signal, a method for enhancing the security of said computer system, said method comprising:
- removing said central processor unit from said first socket;
  
  replacing said central processor by plugging a module into said first socket, said module further having a second socket substantially identical to said first socket;
  
  plugging said central processor unit into said second socket on said module; and
  
  intercepting said first control signal.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method in accordance with claim 1, wherein said step of intercepting said first control signal comprises:
3. A method in accordance with claim 1, wherein said first control signal is a clock signal.
4. A method in accordance with claim 1, wherein said first control signal is a interrupt signal.
5. A method in accordance with claim 1, wherein said first control signal is a write strobe signal.
6. A method in accordance with claim 1, wherein said first control signal is a read strobe signal.
7. A method in accordance with claim 1, wherein said first control signal is a data ready signal.
8. A method in accordance with claim 1, wherein said module comprises a multi-chip module.
9. A method in accordance with claim 1, wherein said module comprises an Application Specific Integrated Circuit (ASIC) module.

10. A method for providing computer security, comprising the steps of:
- providing a first processor having a plurality of terminals for receiving a first plurality of control signals coupled thereto;
  
  providing a second processor;
  
  preventing, with a multiprocessor logic controller, reception of at least one of said first plurality of control signals by said first processor and substituting at least one of a second plurality of control signals in place of said one of said first plurality of control signals, and selectively enabling said first processor and said second processor, respectively, wherein, during said preventing reception, said multiprocessor logic controller assigns a second memory address space to said second processor and a first memory address space to said first processor, and wherein said second memory address space is non-accessible to said first processor.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. A method in accordance with claim 10, wherein said one of said first plurality of control signals is a clock signal.
  - 12. A method in accordance with claim 10, wherein said one of said first plurality of control signals is an interrupt signal.
  - 13. A method in accordance with claim 10, wherein said one of said first plurality of control signals is a write strobe signal.
  - 14. A method in accordance with claim 10, wherein said one of said first plurality of control signals is a read strobe signal.
  - 15. A method in accordance with claim 10, wherein said one of said first plurality of control signals is a data ready signal.

16. A multiple processor system comprising:
- a first processor having a plurality of terminals for receiving a first plurality of control signals coupled thereto;
  
  a second processor;
  
  a multiprocessor logic controller for preventing reception of at least one of said first plurality of control signals by said first processor and for substituting at least one of a second plurality of control signals in place of said one of said first plurality of control signals, and for selectively enabling said first processor and said second processor, respectively, wherein, during said preventing reception, said multiprocessor logic controller assigns a second memory address space to said second processor and a first memory address space to said first processor, and wherein said second memory address space is non-accessible to said first processor;
  
  wherein said first processor, said second processor and said multiprocessor logic controller are integrated on a system common motherboard.

17. In a computer system including a memory and a central processor unit, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said plurality of control signal lines, said first control signal line including a first control signal, said computer system having at least one critical program area stored in said memory, a method for enhancing the security of said computer system, said method comprising:
- providing a second processor having an associated logic controller;
  
  detecting start up of said computer system;
  
  capturing control of said central processing unit by halting said central processor unit in response to said step of detecting start up of said computer system;
  
  wherein said halting step includes sending a hold signal to said central processor unit from said logic controller; and
  
  wherein, in response to said hold signal, said central processor unit places one or more circuits associated with the central processor unit into a high impedance state;
  
  verifying a first critical program area in said memory with said second processor;
  
  releasing control of said central processor unit by said logic controller to run said critical program if said first critical program area is verified;
  
  wherein said second processor, said logic controller, and operation of circuitry associated with said second processor and said logic controller are invisible to all other portions of said computer system, with the exception of a BIOS extension associated with said logic controller, subsequent said step of releasing control.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. A method in accordance with claim 17, wherein, in response to said hold signal, said central processor unit places one or more circuits associated with the address signals of the central processor unit in a high impedance state.
  - 19. method in accordance with claim 17, wherein, in response to said hold signal, said central processor unit places one or more circuits associated with the data signals of the central processor unit in a high impedance state.
  - 20. A method in accordance with claim 17, wherein said central processor unit includes a clock signal input for receiving a clock signal, and wherein said step of capturing control of said central processor unit by said logic controller responsive to said step of detecting start up of said computer system comprises:
21. A method in accordance with claim 17, wherein said step of capturing control of said central processor unit by said logic controller responsive to said step of detecting start up of said computer system comprises:
- intercepting said first control signal.
22. A method in accordance with claim 21, wherein said step of intercepting said first control signal comprises:
- redirecting said first control signal line from said central processor unit to said second processor thereby intercepting said first control signal; and
  
  substituting a second control signal to/from said second processor in place of said first control signal.
23. A method in accordance with claim 22, wherein said step of releasing control of said central processor unit to run said critical program, includes the step of further redirecting said first control signal line such that control of said central processor unit is released by said logic controller.
24. A method in accordance with claim 17, wherein said step of capturing control of said central processor unit by said logic controller responsive to said step of detecting start up of said computer system comprises:
- intercepting an interrupt vector address signal.
25. A method in accordance with claim 17, wherein said step of capturing control of said central processor unit by said logic controller responsive to said step of detecting start up of said computer system comprises:
- intercepting a data strobe signal.
26. A method in accordance with claim 17, wherein said step of capturing control of said central processor unit by said logic controller responsive to said step of detecting start up of said computer system comprises:
- intercepting an address strobe signal.
27. A method in accordance with claim 17, wherein said step of capturing control of said central processor unit by said logic controller responsive to said step of detecting start up of said computer system comprises:
- intercepting a data ready signal.
28. A method in accordance with claim 17, wherein said step of detecting start up of said computer system comprises:
- detecting power up of said computer system.
29. A method in accordance with claim 17, wherein said step of detecting start up of said computer system comprises:
- detecting hard system reset of said computer system.

30. In a computer system including a memory and a central processor unit, said central processor unit having respective address signals, data signals and a plurality of control signals coupled thereto, said plurality of control signals provided to/from said central processor unit on a respective plurality of control signal lines including a first control signal line being one of said plurality of control signal lines, said first control signal line including a first control signal, said computer system having at least one critical program area stored in said memory, an apparatus for enhancing the security of said computer system, said apparatus comprising:
- a second processor having an associated logic controller;
  
  means for detecting start up of said computer system;
  
  wherein the logic controller captures control of said central processing unit by halting said central processor unit in response to said detecting start up of said computer system;
  
  wherein said logic controller halts said central processor by sending a hold signal to said central processor unit; and
  
  wherein, in response to said hold signal, said central processor unit places one or more circuits associated with the central processor unit into a high impedance state;
  
  means for verifying a first critical program area in said memory with said second processor;
  
  means for releasing control of said central processor unit by said logic controller to run said critical program if said first critical program area is verified;
  
  wherein said second processor, said logic controller, and operation of circuitry associated with said second processor and said logic controller are invisible to all other portions of said computer system, with the exception of a BIOS extension associated with said logic controller, subsequent said releasing control.
- View Dependent Claims (31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 31. An apparatus in accordance with claim 30, wherein, in response to said hold signal, said central processor unit places one or more circuits associated with the address signals of the central processor unit in a high impedance state.
  - 32. An apparatus in accordance with claim 30, wherein, in response to said hold signal, said central processor unit places one or more circuits associated with the data signals of the central processor unit in a high impedance state.
  - 33. An apparatus in accordance with claim 30, wherein said central processor unit includes a clock signal input for receiving a clock signal, further comprising:
34. An apparatus in accordance with claim 30, further comprising:
- means for intercepting said first control signal.
35. An apparatus in accordance with claim 30, further comprising:
- means for redirecting said first control signal line from said central processor unit to said second processor thereby intercepting said first control signal; and
  
  means for substituting a second control signal to/from said second processor in place of said first control signal.
36. An apparatus in accordance with claim 35, wherein said means for releasing control of said central processor unit to run said critical program, includes means for further redirecting said first control signal line such that control of said central processor unit is released by said logic controller.
37. An apparatus in accordance with claim 30, further comprising:
- means for intercepting an interrupt vector address signal.
38. An apparatus in accordance with claim 30, further comprising:
- means for intercepting a data strobe signal.
39. An apparatus in accordance with claim 30, further comprising:
- means for intercepting an address strobe signal.
40. An apparatus in accordance with claim 30, further comprising:
- means for intercepting a data ready signal.
41. An apparatus in accordance with claim 30, wherein said means for detecting start up of said computer system comprises:
- means for detecting power up of said computer system.
42. An apparatus in accordance with claim 30, wherein said means for detecting start up of said computer system comprises:
- means for detecting hard system reset of said computer system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Helbig Company LLC
Original Assignee
The Helbig Company LLC
Inventors
Helbig, Walter A. Sr.
Primary Examiner(s)
Wright, Norman M.

Application Number

US10/055,786
Publication Number

US 20020166062A1
Time in Patent Office

566 Days
Field of Search

713/200, 713/201, 714/46, 714/47, 714/9, 714/39
US Class Current

726/34
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06F 21/575   Secure boot

G06F 2221/2101   Auditing as a secondary aspect

Method and apparatus for enhancing computer system security

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

119 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for enhancing computer system security

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links